Two US citizens have been sentenced to 18 months in prison for hosting laptops used by North Korean operatives posing as remote IT workers. The case highlights escalating federal enforcement of sanctions and cybersecurity rules, and compliance officers are urged to tighten hiring and device management protocols to avoid liability.
Regulatory Action: DOJ Cracks Down on North Korean IT Worker Facilitators

The Department of Justice announced Wednesday the sentencing of two US citizens for their roles in facilitating North Korean state-sponsored IT worker schemes, a growing threat that has generated over $500 million annually for the DPRK regime while exposing US companies to significant data security and compliance risks.
Matthew Isaac Knoot of Nashville, Tennessee, and Erick Ntekereze Prince of New York each received 18-month prison sentences, plus supervised release terms of one and three years respectively. Both individuals misrepresented themselves to US companies: Knoot posed as a US-based IT worker, while Prince operated a purported IT services firm employing US staff. After securing remote IT roles at US companies, each hosted company-owned laptops in their homes or offices, installing remote access software that allowed North Korean operatives to work from overseas while appearing to log in from US locations.
The scheme generated more than $1.2 million in fraudulent revenue for North Korea, with Knoot earning $15,100 and Prince $89,000 in personal proceeds, which both must repay as restitution. Approximately 70 US companies were victimized, spending a combined $1.5 million to audit systems, remediate compromised devices, and eliminate unauthorized access traces.
This enforcement action is part of a broader federal push against facilitators of North Korean IT worker scams. Last month, Kejia Wang and Zhenxing Wang received combined sentences of 200 months for a larger operation targeting prominent US firms. FBI Cyber Division Assistant Director Brett Leatherman emphasized that the latest sentences send a clear warning to anyone considering similar arrangements.
"These cases should leave no doubt that Americans who choose to facilitate these schemes will be identified and held accountable," Leatherman wrote in the announcement. "Hosting laptops for DPRK IT workers is a federal crime which directly impacts our national security, and these sentences should serve as a warning to anyone considering it."
The North Korean IT worker scheme has expanded beyond tech firms to healthcare, finance, and professional services organizations, all of which hold sensitive consumer and corporate data that can be stolen or held for ransom. According to federal data, the $500 million annual revenue figure does not include the value of data stolen from victim organizations.
What Compliance Requirements Apply
Multiple federal regulations prohibit the conduct seen in these cases, and impose affirmative obligations on US companies to protect their systems and data. Compliance officers must be familiar with the following key rules:
North Korea Sanctions Regulations (31 CFR Part 510)
Effective under the North Korea Sanctions and Policy Enhancement Act of 2016 and subsequent updates, these OFAC regulations prohibit US persons from providing any goods, services, or financial support to DPRK entities or individuals. Facilitating remote IT work for North Korean operatives by hosting laptops, providing internet access, or masking location constitutes a prohibited transaction. Criminal violations carry penalties of up to 20 years in prison and $1 million in fines per offense, while civil penalties can reach $300,000 per violation (adjusted annually for inflation). All companies must screen contractors and employees against the OFAC Specially Designated Nationals (SDN) list, though fake identities used by DPRK operatives mean this control alone is insufficient.
Computer Fraud and Abuse Act (18 USC § 1030)
The CFAA prohibits unauthorized access to protected computers, defined as any device used in interstate or foreign commerce, which includes nearly all company IT systems. North Korean operatives and their facilitators access company networks using fake identities, which constitutes unauthorized access under the law. Violations carry penalties of up to 10 years in prison for first offenses, with increased penalties for repeat violations or cases involving data theft. Companies that fail to implement reasonable safeguards to prevent unauthorized access may face liability for CFAA violations, in addition to breach notification obligations under state and federal data protection laws.
Sector-Specific Data Protection Regulations
Victim companies in regulated sectors face additional compliance risks. Healthcare organizations must comply with HIPAA (45 CFR Parts 160, 162, 164), which requires administrative, physical, and technical safeguards to protect protected health information (PHI). Finance firms are subject to GLBA (15 USC § 6801), which mandates safeguards for customer financial information. All companies handling personal data of California residents must comply with CCPA/CPRA, which requires reasonable security measures to protect consumer data. A single unauthorized access incident by a fake IT worker can trigger audit requirements, regulatory fines, and private litigation under these frameworks.
Identity Verification Laws
The Identity Theft and Assumption Deterrence Act (18 USC § 1028) prohibits the use of fake identities to secure employment, with penalties of up to 15 years in prison. Companies that fail to verify the identity of remote workers may face liability for negligent hiring, in addition to federal enforcement action if they unknowingly facilitate sanctioned entities.
Compliance Timeline for Employers
To mitigate risks associated with North Korean IT worker schemes, compliance officers should follow this timeline to implement and maintain effective controls:
Immediate Actions (0-30 Days)
- Conduct a full audit of all current remote IT workers and contractors. Verify each worker's identity via government-issued photo ID shown on a live video call, confirm their verified home address matches the location of all company-issued devices, and check that no third-party facilitators are hosting work equipment.
- Review remote access logs for the past 6 months. Look for logins from foreign IP addresses, use of unauthorized remote access tools such as AnyDesk or TeamViewer, and login patterns that suggest multiple users are accessing a single device.
- Update hiring protocols for all remote IT roles to require live video interviews with cameras enabled at all times, E-Verify confirmation of work eligibility, and three professional references checked via phone or video call.
- Notify HR, IT, and hiring managers of red flags associated with fake IT worker schemes: workers who refuse video calls, request laptops be shipped to third-party addresses, use generic US mailing addresses, or have technical qualifications that do not match their communication skills.
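The remote access log review in the second item above can be scripted. The following is an added example, not part of the original article: it runs the three checks (foreign-source logins, remote access tools, one device reached from several sources in a short span) over constructed events. The field names, the US-only allow-list and the 30-minute window are assumptions to adapt to your own log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"US"}                # assumption: workforce is US-only
REMOTE_TOOLS = ("anydesk", "teamviewer")  # tools named in the article
OVERLAP_WINDOW = timedelta(minutes=30)    # assumption: tune per environment

# Constructed sample events, not real telemetry. Field names are assumptions;
# "XX" stands in for any non-US country code from geo-IP enrichment.
EVENTS = [
    {"ts": "2025-03-03T09:02", "device": "LT-0417", "kind": "login",
     "src_ip": "198.51.100.7", "country": "US"},
    {"ts": "2025-03-03T09:15", "device": "LT-0417", "kind": "login",
     "src_ip": "203.0.113.44", "country": "XX"},
    {"ts": "2025-03-03T09:20", "device": "LT-0417", "kind": "process",
     "name": "AnyDesk.exe"},
    {"ts": "2025-03-03T10:00", "device": "LT-0522", "kind": "login",
     "src_ip": "198.51.100.9", "country": "US"},
    {"ts": "2025-03-03T18:00", "device": "LT-0522", "kind": "login",
     "src_ip": "198.51.100.9", "country": "US"},
]

def review(events):
    """Return {device: sorted list of finding tags} for the three checks."""
    findings = defaultdict(set)
    last_login = {}  # device -> (timestamp, src_ip) of the previous login
    for ev in sorted(events, key=lambda e: e["ts"]):
        dev, ts = ev["device"], datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "process":
            if any(tool in ev["name"].lower() for tool in REMOTE_TOOLS):
                findings[dev].add("remote-access-tool")
            continue
        if ev["country"] not in ALLOWED_COUNTRIES:
            findings[dev].add("foreign-login")
        prev = last_login.get(dev)
        # Two different source IPs on one device inside the window suggests
        # more than one person is driving the same laptop.
        if prev and prev[1] != ev["src_ip"] and ts - prev[0] <= OVERLAP_WINDOW:
            findings[dev].add("multi-source-overlap")
        last_login[dev] = (ts, ev["src_ip"])
    return {dev: sorted(tags) for dev, tags in findings.items()}

if __name__ == "__main__":
    for device, tags in review(EVENTS).items():
        print(device, ", ".join(tags))
```

Devices that appear in the result are candidates for the identity and device-location checks in the first item; a clean device such as the constructed LT-0522 produces no entry.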
Short-Term Actions (30-90 Days)
- Deploy Mobile Device Management (MDM) software on all company-issued laptops. Enable location tracking, prohibit the installation of unauthorized software, and configure devices to block connections from known foreign IP ranges associated with DPRK operatives.
- Provide targeted training to HR and IT staff on how to identify and respond to suspicious job applications or worker behavior. Use the CISA Advisory AA23-144A as a training resource, which details common tactics used by North Korean IT workers.
- Conduct a risk assessment of all third-party IT service providers. Verify the business address, confirm all staff are US-based or properly screened, and review contracts to ensure providers are liable for compliance failures.
Ongoing Actions (Quarterly/Annually)
- Quarterly review of remote access logs, device compliance reports, and sanctions screening results for all contractors and employees.
- Annual mandatory training for all staff on emerging cybersecurity threats, including fake IT worker schemes and social engineering tactics.
- Monitor updates from OFAC, CISA, and the DOJ CCIPS to update policies as new guidance is released.
- Test incident response plans annually to ensure the organization can quickly identify, contain, and remediate unauthorized access incidents involving remote workers.
Penalties for Non-Compliance
The sentences handed to Knoot and Prince demonstrate that even minor participation in these schemes carries significant consequences. Beyond prison time and restitution, individuals face permanent criminal records, loss of professional licenses, and exclusion from federal contracting. Companies that fall victim to these schemes face remediation costs, regulatory fines, breach notification expenses, and reputational damage. The $1.5 million spent by 70 victim companies to remediate systems is a fraction of the potential cost of a major data breach involving PHI or financial data, which can exceed $10 million per incident for large organizations.
Federal enforcement against these schemes will continue to accelerate, with the FBI and DOJ prioritizing cases that involve national security risks and significant financial harm to US businesses. Compliance officers who implement the above controls will reduce their organization's risk of falling victim to these schemes, while avoiding liability for facilitating sanctioned entities.
